Companies, schools, government chart course into cloud security

Cloud computing is blowing into 2013 on the winds of confidence, with IT professionals increasingly convinced that the security controls are adequate, but still very, very leery.

Take Len Peters, CIO at Yale University, who has undertaken a cost-benefit analysis of cloud-based services in comparison to on-premises software purchases, finding that not only are unit costs less for the kind of software-as-a-service (SaaS) he's most interested in, but that SaaS can also further the compliance and security goals the IT department has long espoused.

Last spring, Yale elected to migrate from an on-premises IT management application to the cloud-based ServiceNow. The economic analysis indicated a positive cost advantage within 13 months. But security and compliance considerations were and always are going to be critical factors in cloud-computing decisions, Peters says. Like many IT pros, he found himself asking the questions, "Is the cloud safe? What are the potential risks?"

The answer, he says, is yes, there are risks, but not necessarily any more than in your own environment if the proper security and contractual arrangements can be put in place with the cloud provider. What's more, use of cloud services can help speed the adoption of best practices that would further safeguard the university.

Yale is using ServiceNow to further its support of IT service management practices that are codified in the Information Technology Infrastructure Library. ITIL spells out IT baselines that organizations can use in planning and implementation of IT services, and also to measure themselves against.

"With ServiceNow, we can rapidly stand up ITIL processes," says Peters, noting these involve everything from incident-request to change management, which influence the daily workflow for IT support staff and have a bearing on the integrity of the university's entire IT environment. The ServiceNow cloud service also affects Yale's Tivoli Endpoint Management software distribution, which is used to manage computers Yale owns.

Yale is going to be looking at more cloud-computing options in the future for things such as human resources and ERP, Peters says. But not all cloud-based services are the same, either in how flexible they are in terms of contractual demands or security. For instance, Peters remains skeptical about cloud-based e-mail services, concerned about security and availability risks. But he notes that throughout higher education, the interest in cloud services runs high and everyone wants cloud providers to more quickly tackle risk-management issues.

Of course, not everyone agrees on where the cloud security issues lie. Some organizations, for example, are more than happy to leave e-mail management to the cloud.

Bernie McCormick, director of technology at the Mary McDowell Friends School in Brooklyn, says the school migrated to Google Apps for Education in part so it would no longer have to maintain an e-mail server (which turned out to be an advantage when the superstorm Sandy hit the New York area). The cloud-based Backupify service also played a critical role in that decision.

The Backupify client software, which is used on the faculty's Apple iOS and Google Android personal mobile devices in a "Bring Your Own Device" (BYOD) arrangement, gives the school's IT department the ability to wipe Google Apps folders if a smartphone or tablet is lost or stolen. McCormick, who says the school also uses the Barracuda Networks cloud-replication service for storage backup, foresees use of other cloud-based services in the future.

With security concerns abating, many others have turned that corner as well.

"We have strategically made a shift toward the cloud," says Osh O'Crowley, the CIO at AAA Northern California, Nevada and Utah (AAA NCNU), the regional part of the AAA that offers roadside assistance, insurance and travel amenities to its members. The enthusiasm for the cloud is not so much because of cost savings as it is the speed of obtaining applications and the benefit of not needing an army of IT staff to support it all, he says.

Within the last 18 months AAA NCNU adopted ServiceNow as well as Salesforce.com for customer data and Workday for business-process applications. It has also adopted the Microsoft Office 365 cloud-based office apps Word and Excel for employees. AAA NCNU does retain a number of internal business applications, some mainframe-based.

To unify the authentication and provisioning process for both cloud and on-premises applications, this AAA regional club is now going to move to the OneLogin cloud service. That way the 2,300 employees in its 100 offices can gain authorized single sign-on access to any of these applications, whether cloud or on-premises. O'Crowley says he anticipates this shift to a cloud-based single sign-on service being completed by April.

The way forward

Many other companies, as well as federal and local governments in the U.S. and around the world, are going through similar evaluations of secure, cloud-based computing options. In fact, according to Gartner, growth in cloud computing is the driving force that will shape 2013 security trends.

Gartner predicts that by 2015, 10% of overall IT security enterprise capabilities will be delivered in the cloud. While the focus today is clearly on messaging, Web security and remote vulnerability assessment, Gartner contends there will be more cloud-based security-focused services on the way, such as data-loss prevention, encryption, and authentication.

Gartner points out that the U.S. government will make progress in 2013 with its so-called FedRAMP Program that is defining security and compliance guidelines that are expected to drive adoption of cloud services by federal agencies.

The goal of FedRAMP is to get cloud-service providers that serve government agencies accredited for specific security practices over the next two years. These practices would include incident response in the cloud, forensics in a highly dynamic environment, threat detection and analysis in a multi-tenant environment and continuous monitoring for remediation, among other things. The idea is that service providers must be prepared to report security incidents of many types to the U.S. Computer Emergency Readiness Team (US-CERT) and the government agency that might be impacted. Cloud service providers that can't meet these requirements in theory won't be allowed to provide services to government agencies.

John Streufert, director of the National Cybersecurity Division of the Department of Homeland Security, recently spoke at the Cloud Security Alliance meeting in Orlando on how the government plans to deploy a so-called "Continuous Monitoring" capability that would include "Continuous Diagnostics and Mitigation" to protect civilian federal agencies' data from stealthy attacks. The contract solicitation, which is expected to be put out for bid soon, could extend to an estimated 25 million seats and will include cloud-based services as well as on-premises tools. Streufert says it will likely take a few years to complete.

The federal government's initiatives are drawing interest from organizations such as PricewaterhouseCoopers (PwC) that harbor aspirations of becoming a government-certified cloud-services security assessor in the future.

Cara Beston, cloud-assurance partner with the PwC risk-assurance practice, says enterprise customers still have reservations about putting sensitive data in the cloud, but the conversation has clearly changed. For example, CIOs who adopted cloud-based services for what were considered less-sensitive data are now weighing how they might use cloud services to manage data regulated under the PCI payment card rules or the Health Insurance Portability and Accountability Act healthcare regulation. However, sensitive information such as source code and engineering designs is still generally considered off limits to the cloud today, she notes.

She points out that the cloud has sometimes put internal IT, security and compliance managers on the defensive because line-of-business managers may have gone around them entirely to select cloud services without asking their advice. This can be tough to fight, but Beston says one way IT can nip it in the bud is to make the IT service acquisition process more collaborative.